All Products
Search

This Product

    Security Center:Scan for vulnerabilities

    Document Center

    Security Center:Scan for vulnerabilities

    Last Updated:Dec 08, 2023

    To ensure security of your assets, we recommend that you scan your assets for vulnerabilities on a regular basis. This topic describes the types of vulnerabilities that can be detected and fixed by Security Center. This topic also describes how to run an automatic periodic scan task on your servers and manually perform vulnerability scan.

    Vulnerability scan and fixing

    The following table describes the types of vulnerabilities that can be detected and fixed in each edition of Security Center.

    Note

    The following symbols are used in the table:

    • 对

    • 错

    Vulnerability type

    Feature

    Basic edition

    Value-added Plan edition

    Anti-virus edition

    Advanced edition

    Enterprise edition

    Ultimate edition

    Linux software vulnerability

    Manual vulnerability scan

    错

    错

    错

    对

    对

    对

    Periodic automatic vulnerability scan

    对

    对

    对

    对

    对

    对

    Vulnerability fixing

    错

    You must purchase a quota for vulnerability fixing or purchase vulnerability fixing based on the pay-as-you-go billing method.

    You must purchase a quota for vulnerability fixing or purchase vulnerability fixing based on the pay-as-you-go billing method.

    对

    对

    对

    Windows system vulnerability

    Manual vulnerability scan

    错

    错

    错

    对

    对

    对

    Periodic automatic vulnerability scan

    对

    对

    对

    对

    对

    对

    Vulnerability fixing

    错

    You must purchase a quota for vulnerability fixing.

    You must purchase a quota for vulnerability fixing.

    对

    对

    对

    Web-CMS vulnerability

    Manual vulnerability scan

    错

    错

    错

    对

    对

    对

    Periodic automatic vulnerability scan

    对

    对

    对

    对

    对

    对

    Vulnerability fixing

    错

    错

    错

    对

    对

    对

    Application vulnerability

    Manual vulnerability scan

    错

    错

    错

    错

    对

    对

    Periodic automatic vulnerability scan

    错

    错

    错

    错

    对

    对

    Vulnerability fixing

    错

    错

    错

    错

    错

    错

    Urgent vulnerability

    Manual vulnerability scan

    对

    对

    对

    对

    对

    对

    Periodic automatic vulnerability scan

    错

    错

    错

    对

    对

    对

    Vulnerability fixing

    错

    错

    错

    错

    错

    错

    Security Center scans for application vulnerabilities based on the following methods:

    • Web Scanner: inspects network traffic to detect vulnerabilities in your system. For example, you can use this method to scan for SSH weak passwords and remote command execution.

    • Software Component Analysis: identifies software versions to detect vulnerabilities in your system. For example, you can use this method to scan for vulnerabilities in Apache Shiro authorization and Kubernetes kubelet resource management.

    Web-CMS vulnerabilities that can be detected

    Component type

    Check item

    74CMS

    Multiple SQL injection vulnerabilities in 74CMS

    Privilege escalation vulnerability in 74CMS

    SQL injection vulnerability in 74CMS

    Arbitrary file deletion vulnerability in 74CMS v4.1.15

    Arbitrary file read vulnerability in the latest version of 74CMS

    DedeCMS

    Variable overwrite vulnerability in DedeCMS

    Arbitrary file upload vulnerability in DedeCMS

    Reinstallation vulnerability in DedeCMS

    Injection vulnerability in DedeCMS

    File upload vulnerability in DedeCMS

    Password resetting vulnerability in DedeCMS

    Vulnerability of arbitrary user logon from the frontend caused by cookie leaks in DedeCMS

    SQL injection vulnerability caused by session variable overwrite in DedeCMS

    Vulnerability of arbitrary file upload at the backend in DedeCMS

    SQL injection vulnerability in DedeCMS

    Template SQL injection vulnerability in DedeCMS

    SQL injection vulnerability caused by cookie leaks in DedeCMS

    Payment plug-in injection vulnerability in DedeCMS

    Arbitrary file deletion by registered users in DedeCMS V5.7

    CSRF protection bypass vulnerability in DedeCMS V5.7

    Arbitrary file upload by common users in DedeCMS select_soft_post.php

    Arbitrary file upload vulnerability in DedeCMS V5.7 SP2 (CVE-2019-8362)

    Discuz

    Code execution vulnerability in Discuz!

    MemCache + ssrf permission acquisition vulnerability (GetShell) in Discuz!

    Backend SQL injection vulnerability in Discuz!

    Arbitrary attachment download caused by privilege escalation vulnerabilities in Discuz!

    Arbitrary file deletion vulnerability in Discuz!

    Encrypted message forgery vulnerability caused by authcode function defects in Discuz!

    Command execution vulnerability in the backend database backup feature of Discuz!

    ECShop

    Code injection vulnerability in ECShop

    Password retrieval vulnerability in ECShop

    Injection vulnerability in ECShop

    ECShop backdoor

    Arbitrary user logon vulnerability in ECShop

    Backend SQL injection vulnerability in ECShop

    SQL injection vulnerability in ECShop

    Vulnerability of overwriting variables in the ECShop installation directory at the backend

    Code execution caused by SQL injection vulnerabilities in ECShop

    Secondary injection vulnerability in ECShop

    Backend permission acquisition vulnerability in ECShop (GetShell)

    Backend file download vulnerability in ECShop 2.7.3

    FCKEditor

    Arbitrary file upload vulnerability in FCKeditor

    Joomla

    Remote code execution (RCE) vulnerability caused by malformed deserialized packet injection in Joomla!

    Unauthorized user creation vulnerability in Joomla! (CVE-2016-8870)

    Core SQL injection vulnerability in Joomla! 3.7.0

    SQL injection vulnerability in Joomla!

    PHPCMS

    Injection vulnerability in PHPCMS

    AuthKey leak vulnerability in PHPCMS

    Wide byte injection vulnerability in PHPCMS v9

    Arbitrary file read vulnerability caused by frontend code injection in PHPCMS

    Permission acquisition vulnerability caused by some logic issues in PHPCMS (GetShell)

    AuthKey leak caused by AuthKey generation algorithm issues in PHPCMS

    SQL injection vulnerability in PHPCMS v9.6.2

    common.inc RCE vulnerability in PHPCMS 2008

    RCE vulnerability in template cache of PHPCMS 2008

    phpMyAdmin

    Deserialized injection vulnerability in phpMyAdmin

    CVE-2016-6617 SQL injection vulnerability in phpMyAdmin

    Permission acquisition vulnerability caused by checkPageValidity function defects in phpMyAdmin version 4.8.1 and earlier (GetShell)

    phpMyAdmin 4.8.5

    phpwind

    GET request CSRF vulnerability in PHPWind v9 task center

    Permission acquisition vulnerability caused by MD5 padding vulnerabilities in PHPWind v9 (GetShell)

    Backend SQL injection vulnerability in PHPWind

    Cross-site scripting (XSS) injection into UBB tag attributes in PHPWind

    ThinkPHP5

    Medium-risk permission acquisition vulnerability caused by cache function design flaws in ThinkPHP 5.0.10-3.2.3 (GetShell)

    High-risk RCE vulnerability in ThinkPHP 5.0

    RCE vulnerability in ThinkPHP 5.1.X to 5.1.30 (included)

    High-risk Request.php RCE vulnerability in versions earlier than ThinkPHP 5.0.24

    WordPress

    Arbitrary file upload vulnerability in WordPress

    IP address verification vulnerability in WordPress

    WP_Image_Editor_Imagick instruction injection vulnerability in WordPress

    XSS vulnerability in the bbPress plug-in of WordPress

    Mailpress RCE vulnerability in WordPress

    DOS vulnerability caused by arbitrary directory traversal in the backend plug-in update module of WordPress

    SQL injection vulnerability caused by arbitrary user logon to the backend plug-in of WordPress

    Username enumeration vulnerability in versions earlier than WordPress 4.7.1 (CVE-2017-5487)

    SQL injection vulnerability in WordPress

    XSS vulnerability in WordPress

    Content injection vulnerability in WordPress

    RCE vulnerabilities caused by the sitename field in WordPress Mail

    SQL injection vulnerability in the Catalogue plug-in of WordPress

    Arbitrary file deletion vulnerability in WordPress

    Permission acquisition vulnerability caused by multiple defects, such as Author permission path traversal in WordPress (GetShell)

    Application vulnerabilities that can be detected

    Vulnerability type

    Check item

    Weak passwords in system services

    OpenSSH services

    MySQL database services

    Microsoft SQL Server (MSSQL) database services

    MongoDB database services

    FTP, VSFTP, and ProFTPD services

    Memcache cache services

    Redis caching services

    Subversion control services

    Server Message Block (SMB) file sharing services

    Simple Mail Transfer Protocol (SMTP) email delivery services

    Post Office Protocol 3 (POP3) email reception services

    Internet Message Access Protocol (IMAP) email management services

    Vulnerabilities in system services

    OpenSSL heartbleed vulnerabilities

    SMB

    • Samba

    • Brute-force attacks against weak passwords

    RSYNC

    • Anonymous access to sensitive data

    • Brute-force attacks against password-based authentication

    Brute-force attacks against Virtual Network Console (VNC) passwords

    Brute-force attacks against pcAnywhere passwords

    Brute-force attacks against Redis passwords

    Vulnerabilities in application services

    phpMyAdmin weak passwords

    Tomcat console weak passwords

    Apache Struts 2 remote command execution vulnerabilities

    Apache Struts 2 remote command execution vulnerability (S2-046)

    Apache Struts 2 remote command execution vulnerability (S2-057)

    Arbitrary file uploads in ActiveMQ (CVE-2016-3088)

    Arbitrary file reads in Confluence

    CouchDB Query Server remote command execution

    Brute-force attacks against administrator weak passwords in Discuz!

    Unauthorized access to Docker

    Remote code execution in Drupal Drupalgeddon 2 (CVE-2018-7600)

    ECshop code execution vulnerabilities in logon endpoints

    Unauthorized access to Elasticsearch

    Elasticsearch MvelRCE CVE-2014-31

    Elasticsearch Groovy RCE CVE-2015-1427

    Expression Language (EL) Injection in Weaver OA

    Unauthorized access to Hadoop YARN ResourceManager

    Path traversal in JavaServer Faces 2

    Java deserialization in JBoss EJBInvokerServlet

    Anonymous access to Jenkins Manage (CVE-2018-1999001 and CVE-2018-1999002)

    Unauthorized access to Jenkins

    Jenkins Script Security Plugin RCE

    Unauthorized access to Kubernetes

    SQL injection vulnerabilities in the MetInfo getPassword interface

    SQL injection vulnerabilities in the MetInfo logon interface

    Arbitrary file uploads in PHPCMS 9.6

    PHP-CGI remote code execution vulnerabilities

    Actuator unauth RCE

    ThinkPHP_RCE_20190111

    Server-side request forgery (SSRF) in WebLogic UDDI Explorer

    SSRF in WordPress xmlrpc.php

    Brute-force attacks against the Zabbix web console

    OpenSSL heartbleed detection

    Unauthorized access to the WEB-INF directory in Apache Tomcat

    Server IP addresses of the web scanner

    When you use Security Center to scan for application vulnerabilities in your servers, Security Center simulates intrusions that are launched from the Internet to scan your servers. If your servers are protected by a security protection or monitoring system, such as Web Application Firewall (WAF) or Secure Operations Center (SOC), we recommend that you add the server IP addresses of the web scanner to the whitelist in your protection or monitoring system. This ensures that your scan tasks run as expected. You must add the following IP addresses to the whitelist in your protection or monitoring system:

    47.110.180.32, 47.110.180.33, 47.110.180.34, 47.110.180.35, 47.110.180.36, 47.110.180.37, 47.110.180.38, 47.110.180.39, 47.110.180.40, 47.110.180.41, 47.110.180.42, 47.110.180.43, 47.110.180.44, 47.110.180.45, 47.110.180.46, 47.110.180.47, 47.110.180.48, 47.110.180.49, 47.110.180.50, 47.110.180.51, 47.110.180.52, 47.110.180.53, 47.110.180.54, 47.110.180.55, 47.110.180.56, 47.110.180.57, 47.110.180.58, 47.110.180.59, 47.110.180.60, 47.110.180.61, 47.110.180.62, and 47.110.180.63

    Procedure

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

    2. In the left-side navigation pane, choose Risk Management > Vulnerabilities.

    3. On the Vulnerabilities page, manually perform vulnerability scan or run an automatic periodic scan task on your servers.

      • Manually perform vulnerability scan: If you want to immediately check whether vulnerabilities exist in your servers, you can use the quick scan feature to scan your servers for vulnerabilities.

        1. On the Vulnerabilities page, click Scan now.

          Before you perform quick scan, perform the following steps to check whether the required servers are added: Click Settings in the upper-right corner of the Vulnerabilities page. In the Settings panel, click Manage next to a vulnerability type.

        2. In the Scan for Vulnerabilities dialog box, select the type of the vulnerabilities that you want to scan for and click OK.

          After a scan task is created, you must wait for at least 15 minutes before you can stop the scan task.

          Note

          The scan task runs on all assets that are protected by Security Center and is complete within 30 minutes. You can refresh the page to view the most recent scan results.

      • Run an automatic periodic scan task.

        You can configure a scan cycle for an automatic periodic scan task. Then, Security Center runs the automatic periodic scan task to scan for vulnerabilities on your servers on a regular basis.

        1. In the upper-right corner of the Vulnerabilities page, click Settings.

        2. In the Settings panel, configure the parameters based on your business requirements.

          Parameter

          Description

          Linux Software

          Turn on or turn off the switches to enable or disable the scan for Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, and urgent vulnerabilities. After you turn on a switch, you can click Manage next to the switch to add or remove servers to scan.

          Windows System

          Web CMS

          Emergency

          Application

          Turn on or turn off the switch to enable or disable the scan for application vulnerabilities.

          YUM/APT Source Configuration

          Turn on or turn off the switch to specify whether to preferentially use YUM or APT sources of Alibaba Cloud to fix vulnerabilities.

          Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability may fail to be fixed. After you turn on the switch, Security Center automatically selects a YUM or APT source of Alibaba Cloud. This improves the success rate of vulnerability fixing. We recommend that you turn on YUM/APT Source Configuration.

          Emergency vul(s) Scan Cycle

          Specify the scan cycle for urgent vulnerabilities.

          Note

          • Only the Advanced, Enterprise, and Ultimate editions are supported. The default scan period is 00:00:00 to 07:00:00.

          • If your servers are deployed in a private network or urgent vulnerability detection is not required, you can set Emergency vul(s) Scan Cycle to Stop.

          • Your servers may be attacked in various ways. We recommend that you set Emergency vul(s) Scan Cycle to a value other than Stop. This way, Security Center detects urgent vulnerabilities on your servers in a timely manner.

          Application Vul(s) Scan Cycle

          Specify the scan cycle for application vulnerabilities.

          Note

          Only the Enterprise and Ultimate editions are supported. The default scan period is 00:00:00 to 07:00:00.

          Retain Invalid Vul for

          Specify the number of days after which a detected vulnerability is automatically deleted.

          If you do not handle a detected vulnerability and the vulnerability is no longer detected in multiple subsequent detection operations, the vulnerability is automatically deleted from the Vulnerabilities page after the specified number of days. If vulnerabilities of the same type are detected later, Security Center still generates alerts.

          Vul scan level

          Specify priorities for the vulnerabilities that you want Security Center to detect.

          Security Center detects and displays only the vulnerabilities with the priorities that you specify. For example, if you select High and Medium, Security Center detects the vulnerabilities of the High and Medium priorities to fix.

          Vulnerability Whitelist Settings

          If you do not want Security Center to detect a vulnerability, you can click Add rules to add the vulnerability to the vulnerability whitelist.

          Note

          After you create a vulnerability whitelist rule, you can modify the scope of the whitelist rule and delete the whitelist rule.

    What to do next

    • View the progress of vulnerability scan

      After you complete the configurations, Security Center scans your servers for vulnerabilities based on the configurations. You can click Task Management in the upper-right corner of the Vulnerabilities page to go to the Task Management page. Then, you can view the progress of vulnerability scan. After the scan is complete, you can click a tab on the Vulnerabilities page to view the most recent scan results.

    • View and handle vulnerabilities

      After vulnerability scan is complete, you can view and handle the detected vulnerabilities on the Vulnerabilities page. For more information, see View and handle vulnerabilities.